-rw-r--r-- | USAGE | 8 | ||||
-rw-r--r-- | src/pam_radius_auth.c | 19 | ||||
-rw-r--r-- | src/pam_radius_auth.h | 4 |
3 files changed, 29 insertions, 2 deletions
@@ -83,5 +83,13 @@ accounting_bug - When used, the accounting response vector is NOT validated. This option will probably only be necessary on REALLY OLD (i.e. Livingston 1.16) servers. +prompt=string - Specifies the prompt, without the ': ', that PAM should + display when prompting for the password. This is useful + when using hardware tokens as part of multi-factor + authentication and presenting the same prompt twice would + confuse users. Use prompt=TokenCode (or some other + relevant string different from Password) in this + situation. + --------------------------------------------------------------------------- diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c index 887ee1e..d1ef370 100644 --- a/src/pam_radius_auth.c +++ b/src/pam_radius_auth.c @@ -95,6 +95,9 @@ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf) strcpy(conf_file, CONF_FILE); + /* set the default prompt */ + snprintf(conf->prompt, MAXPROMPT, "%s: ", DEFAULT_PROMPT); + /* * If either is not there, then we can't parse anything. */ @@ -140,6 +143,18 @@ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf) ctrl |= PAM_DEBUG_ARG; conf->debug = 1; + } else if (!strncmp(*argv, "prompt=", 7)) { + if (!strncmp(conf->prompt, (char*)*argv+7, MAXPROMPT)) { + _pam_log(LOG_WARNING, "ignoring duplicate '%s'", *argv); + } else { + /* truncate excessive prompts to (MAXPROMPT - 3) length */ + if (strlen((char*)*argv+7) >= (MAXPROMPT - 3)) { + *((char*)*argv+7 + (MAXPROMPT - 3)) = 0; + } + /* set the new prompt */ + memset(conf->prompt, 0, sizeof(conf->prompt)); + snprintf(conf->prompt, MAXPROMPT, "%s: ", (char*)*argv+7); + } } else { _pam_log(LOG_WARNING, "unrecognized option '%s'", *argv); } 
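Review bot: The bound passed to `snprintf` for the default prompt is the macro `MAXPROMPT` rather than the size of the destination, so the two can drift apart if the `prompt` field is ever resized; `snprintf(conf->prompt, sizeof(conf->prompt), "%s: ", DEFAULT_PROMPT);` keeps the limit tied to the buffer. The `snprintf` in the `prompt=` branch of the later `_pam_parse` hunk has the same form, although the `memset` beside it already uses `sizeof(conf->prompt)`. `_pam_parse` starts and ends outside this hunk.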
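Review bot: The truncation in the `prompt=` branch stores a NUL through `(char*)*argv+7`, which casts away the `CONST` on `argv` and modifies module arguments owned by the caller; a precision bounds the copy without touching them: `snprintf(conf->prompt, sizeof(conf->prompt), "%.*s: ", MAXPROMPT - 3, *argv + 7);`. The duplicate test above it compares `conf->prompt`, which already ends in ": ", with the raw option value, so it matches only when the value itself carries that suffix and an ordinary repeated `prompt=` is never reported. An over-long value is shortened silently; a `_pam_log(LOG_WARNING, ...)` at that point would let an administrator notice. The branch sits inside `_pam_parse`, whose body extends beyond the hunk.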
@@ -1123,7 +1138,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c /* check to see if we send a NULL password the first time around */ if (!(ctrl & PAM_SKIP_PASSWD)) { - retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password); + retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, config.prompt, &password); PAM_FAIL_CHECK; } @@ -1406,7 +1421,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c /* preliminary password change checks. */ if (flags & PAM_PRELIM_CHECK) { if (!password) { /* no previous password: ask for one */ - retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password); + retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, config.prompt, &password); PAM_FAIL_CHECK; } diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h index 5358764..b1ade51 100644 --- a/src/pam_radius_auth.h +++ b/src/pam_radius_auth.h @@ -39,6 +39,9 @@ #include "radius.h" #include "md5.h" +/* Defaults for the prompt option */ +#define MAXPROMPT 33 /* max prompt length, including '\0' */ +#define DEFAULT_PROMPT "Password" /* default prompt, without the ': ' */ /************************************************************************* * Additional RADIUS definitions @@ -69,6 +72,7 @@ typedef struct radius_conf_t { int accounting_bug; int sockfd; int debug; + char prompt[MAXPROMPT]; } radius_conf_t; |
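Review bot: The configured prompt now also labels the request in the `PAM_PRELIM_CHECK` branch of `pam_sm_chauthtok`, which its existing comment describes as asking for the previous password, while the USAGE text added in this commit describes the option only for token codes during authentication. With `prompt=TokenCode` a user changing a password would be asked for "TokenCode: " at that step. If that is intended, USAGE should say the option applies to password changes as well; otherwise this call can keep the literal `"Password: "`. Both `pam_sm_authenticate` and `pam_sm_chauthtok` extend beyond their hunks.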
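Review bot: The comment on `MAXPROMPT` reads as if 32 characters of prompt text were available, but `_pam_parse` appends ": " and cuts the option value at `MAXPROMPT - 3`, so the usable length is 30. A comment such as `/* prompt buffer size: 30 chars of text + ": " + '\0' */` states that directly. The limit is also worth a line in USAGE, since longer values are shortened without any message.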